Resources

Senate report details Target's missed chances to stop data breach

The retail chain Target had a number of opportunities to stop the cyber thieves who stole the financial and personal information of as many as 110 million Target customers, according to a new report from the Senate Committee on Commerce, Science and Transportation.

Relying on media reports and published analyses from experts, the report lays out how exactly the data breach took place. The company relied on vulnerable vendors, ignored warning signs from its anti-intrusion software, and failed to isolate its most sensitive assets from the rest of its network.

The committee acknowledges in the report that "the complete story of how this breach took place may not be known until Target completes its forensic examination of the breach."

The attackers reportedly first gained access to Target's system by stealing credentials from one of its vendors, the report notes -- a Pennsylvania-based HVAC and refrigeration company, Fazio Mechanical Services. The company had remote access to Target's network for electronic billing, contract submission, and project management purposes. Attackers reportedly stole Fazio Mechanical's credentials for accessing the Target network by launching "phishing" attacks via email.

The first step to thwarting the attackers, the report notes, would have been limiting the information publicly available about Target's vendors.

Fazio, meanwhile, could have thwarted the attack early on by simply training its staff to recognize and report phishing emails. The company should have also been using real-time monitoring and anti-malware software, rather than a free version of anti-malware software that's intended for individual consumer use.

After the attackers succeeded in obtaining the Fazio credentials, they could have been stopped had Target required two-factor authentication for its vendors to access its network, the report says. That would entail providing the vendor's password, as well as proving a code sent to the vendor's cell phone or answering additional security questions. "According to a former Target vendor manager, Target rarely required two-factor authentication from its low-level contractors," the report says.

Once the attackers accessed the Target network and installed malware to scrape for customers' data, Target should have followed up on the "several alerts that were triggered at the time of malware delivery," the report says. Alternatively, it could have let its malware intrusion software to automatically delete any detected malware.

The attackers sent the stolen data to outside servers, at least one of which was Russia, but that step could have been blocked as well. Target could have taking protective steps -- such as employing a technique called "white listing," which only lets approved processes run on a machine. "A white list could have dismissed connections between Target's network and Russia-based Internet servers," the report says.

The report will the be the subject of a congressional hearing Wednesday, where Target's Executive Vice President and Chief Financial Officer, John Mulligan, will testify. Mulligan apologized to the Senate Judiciary Committee Tuesday last month.